Flowrex Safeguarding Policy

This policy explains how we protect your cryptocurrency assets as a client of our trading platform. We are committed to keeping your assets safe and accessible at all times. All measures described below comply with the EU Markets in Crypto-Assets (MiCA) regulation and other relevant standards.

Asset Protection Measures

  • Institutional-Grade Custody: We use secure, institutional-grade custody technology to store client crypto-assets. This includes advanced security hardware and software that are regularly audited and tested for vulnerabilities. Our custody solutions are designed with multiple layers of defense to prevent unauthorized access.
  • Multi-Party Custody Solutions: We implement multi-party custody arrangements (for example, multi-signature approval processes) to manage cryptographic keys. This means no single individual or system can move assets alone – multiple independent approvals are required for any transfer. This high-level measure greatly reduces the risk of theft or loss due to a single point of failure, ensuring that your assets remain secure even if one layer of security is compromised.
  • Encryption & Key Security: All private keys or other credentials used to access your crypto-assets are encrypted and stored in secure, distributed environments. We use strong encryption standards and strict access controls. Only authorized personnel, under dual-control procedures, can access the systems that manage client assets. These controls protect against unauthorized access and help ensure that your crypto-assets cannot be moved or accessed without the proper approvals.

Security & Continuity

  • ISO 27001-Compliant Processes: We follow international best practices for information security, including adherence to ISO 27001 standards. This means we have robust procedures for data protection, regular security audits, and continuous risk management. For example, we maintain up-to-date security software and conduct routine penetration testing to identify and address potential vulnerabilities proactively.
  • Backup & Disaster Recovery: Our platform has strong backup and disaster recovery measures in place to ensure business continuity. We regularly back up critical data (such as account balances and transaction records) in secure, off-site locations. In the unlikely event of a systems outage or data loss incident, we have a tested Disaster Recovery Plan that allows us to restore operations quickly. These backups and recovery processes are designed to be ISO 27001-compliant, meaning they meet rigorous standards for integrity and availability of data.
  • Incident Response Plan: We have a detailed incident response plan to address security incidents or other emergencies. If a cybersecurity incident occurs, our dedicated response team will immediately act to contain the issue, mitigate any damage, and protect client assets. This plan covers communication, investigation, and recovery steps and is regularly drilled and updated. By having a solid incident response in place, we can minimize disruptions and ensure that any issues are handled swiftly and transparently.
  • Business Continuity: Beyond IT recovery, we also maintain a Business Continuity Plan to keep our services running even under adverse conditions (such as natural disasters or other unforeseen events). This includes secondary systems and redundancies for key infrastructure, so we can continue operating or quickly resume operations. Our goal is that you will always have access to your assets and the ability to trade or withdraw, even if we encounter technical difficulties. We periodically test our continuity plans to ensure effectiveness and to give our clients confidence that we can handle extreme scenarios.

Withdrawals

We ensure that you can withdraw your funds safely and efficiently. The withdrawal process is designed to be straightforward for clients while maintaining strict security controls:

  1. Initiating a Withdrawal: You can request a withdrawal of your crypto-assets at any time through our platform (via the website or mobile app). Provide the required details (such as the amount and your destination wallet address for crypto, or bank details for fiat currency) and submit the request. Our system will log your request immediately.
  2. Verification Steps: For your protection, we verify each withdrawal request before releasing funds. This may involve a two-factor authentication (2FA) check, email confirmation, or other identity verification steps. For example, after you initiate a withdrawal, you might receive a confirmation code on your phone or email that you need to enter on the platform. In some cases (especially for large withdrawals or first-time withdrawals to a new address), our compliance team may perform additional manual checks to confirm it’s really you making the request. These verification measures ensure that only the rightful account owner can withdraw funds, preventing fraudulent or unauthorized withdrawals.
  3. Processing Time: Once verification is successfully completed, we process the withdrawal promptly. Crypto-asset withdrawals are typically executed within minutes to a few hours, depending on the blockchain network’s speed and congestion at that time. Fiat withdrawals (transferring money to your bank) are usually completed within one business day, though the exact timing can depend on bank processing times. We strive to meet these timelines for the vast majority of withdrawals. If there is any expected delay (for instance, due to an unusually high volume of withdrawals, maintenance, or additional compliance review), we will inform you through the platform or via email. You will also receive a notification once your withdrawal has been processed and your funds have been sent out.

Note: We do not charge surprise fees for withdrawals, and any applicable withdrawal fees are clearly disclosed up front. Our withdrawal procedures are designed to balance speed with security, so you can have quick access to your assets without compromising safety.

Segregation of Assets

We maintain a strict separation between client assets and the company’s own assets, in full alignment with regulatory requirements:

  • Separate Crypto Wallets for Clients: All client-owned crypto-assets are held in dedicated wallets that are completely separate from the wallets used to hold the company’s assets. In practice, this means your crypto is stored in accounts that are only for clients, and we never mix our corporate funds with client crypto holdings. We also never use your crypto-assets for our own account – for example, we do not lend out, invest, or leverage your crypto for company purposes. Your assets remain your assets at all times, and we only act as a custodian holding them on your behalf.
  • Separate Bank Accounts for Client Funds: If you deposit traditional currency (fiat money) with us (for example, to fund your account or settle trades), those funds are held in segregated client bank accounts. These bank accounts are established solely for holding client funds and are not used for the company’s own operational funds. We deposit client fiat funds with reputable financial institutions or a central bank (as applicable) by the end of the next business day after we receive them. Each client account is individually identified, ensuring clarity about which funds belong to clients. This way, your money is ring-fenced and protected, separate from our company’s finances.
  • No Co-Mingling of Assets: Because of the above practices, there is a clear line between client assets and company assets. This segregation is monitored and audited. Our internal controls ensure that at any given time, we can account for all client assets separately from our own. We also keep detailed records of each client’s holdings (both crypto and fiat), which align with the segregated accounts where those holdings reside.
  • Protection in Case of Insolvency: In the unlikely event that our company encounters financial difficulties or insolvency, your assets remain protected. Since client assets are not part of our corporate balance sheet and are held in segregated accounts, they would not be available to our creditors. Instead, those assets would be recognized as belonging to clients. We have arrangements to ensure an orderly return of such assets to clients if ever required. In short, even if the company were to fail, your crypto-assets and funds would be shielded by this segregation and returned to you, preserving your ownership rights.

Insurance

We maintain an insurance policy to provide an extra layer of protection for client assets. While our first priority is to prevent issues from ever arising, this insurance is there to mitigate the impact if something unexpected does occur:

  • Coverage for Certain Risks: Our insurance is designed to cover certain losses related to crypto-assets in our custody. For example, in the unlikely event of a security breach, cyber-attack, or theft that results in the loss of client crypto-assets, our insurance policy would kick in to cover those losses. This means that even if our technical and procedural safeguards were breached (despite being robust), there is a financial backup to compensate affected clients. The insurance may also cover other risks like internal fraud or errors, depending on the final terms of the policy.
  • Additional Peace of Mind: By having insurance in place, we add an extra layer of reassurance for our clients. It complements our security measures — think of it as a safety net. While no insurance can guarantee a full recovery of all types of losses, our policy is there to significantly reduce the financial impact on clients, should an incident occur. This demonstrates our confidence in our security (since insurance companies rigorously evaluate our safeguards) and our commitment to standing behind our clients.
  • Policy Terms: We are in the process of finalizing the specific terms and coverage limits of our insurance policy. Once finalized, we will communicate the key points of coverage to our clients (for transparency). We do not disclose full details of the policy publicly for security and confidentiality reasons. However, we ensure that the coverage meets or exceeds regulatory requirements and industry norms for crypto-asset service providers. Note: Like any insurance, there may be certain exclusions or conditions (for instance, cases of extreme negligence or external events beyond defined scenarios). Our aim is to cover the most relevant risks and we will always act in good faith to use the insurance for the protection of our clients.

Compliance with MiCA

We adhere strictly to the MiCA regulation and all other applicable laws in how we safeguard client assets. Below is how our compliance with MiCA is reflected in this policy:

  • Meeting Regulatory Standards: The measures described in this policy meet or exceed the safeguarding standards that MiCA sets for crypto-asset service providers. MiCA requires, among other things, that providers protect clients’ ownership rights, segregate client assets from their own, and have plans for dealing with potential insolvency scenarios. We have implemented all of these requirements. For example, MiCA’s rules on segregation and custody (Art. 70 and Art. 75 of the regulation) are fulfilled by our dedicated client wallets, separate accounts, and strict custody controls described above. We also comply with MiCA’s capital and prudential requirements, which include holding a certain amount of financial safeguards (this is partly why we have insurance and other financial buffers in place).
  • Business Continuity & Operational Resilience: MiCA works in tandem with other regulations like DORA (Digital Operational Resilience Act) to ensure companies like ours manage operational risks. In compliance with these, we have the ICT security, backup, and recovery measures already outlined. Our ISO 27001-aligned processes and incident response plans ensure we also meet the operational resilience obligations mandated by regulators. This means our compliance isn’t just on paper – it’s proven through the robust systems we maintain for security and continuity.
  • Transparency to Clients: We believe in MiCA’s emphasis on consumer protection and transparency. Article 70 of MiCA, for instance, expects that clients are kept informed in clear, non-technical terms about how their assets are being protected. In line with this, we strive to communicate openly. This Safeguarding Policy is written in plain language to help you understand our protections. We will notify clients about important changes to our security or custody arrangements, and you can always request more information from us. Our goal is that you never have to wonder about the safety of your assets – you can feel confident because you know the safeguards in place and our commitment to follow through on them.
  • Ongoing Compliance and Updates: Regulations can evolve, and we continuously monitor for any changes or new guidelines under MiCA or related laws. We review our policies and procedures regularly (at least annually, and more often if needed) to ensure full compliance. If MiCA requirements are updated or if supervisory authorities issue new recommendations for client asset protection, we will promptly update our safeguards and this policy accordingly. We are also subject to audits and oversight by relevant regulators, and we welcome this oversight as it helps validate our compliance and identify any areas for improvement.

Conclusion

Your trust is our top priority. We combine top-tier technology, strict operational processes, insurance protection, and regulatory compliance to safeguard your crypto-assets. By following this policy and continuously improving our safeguards, we aim to give you peace of mind that your assets are protected at all times under our care. If you have any questions about how we protect your assets, please contact our support team – we are always here to help and provide additional information.